You would always use a localhost URL, with some port number that is unlikely to conflict with anything else.
Chilkat is creating a background thread that listens on that port, and receives the callback from the browser.
To say it another way: Your Xojo app will popup a browser to ask the Salesforce account owner for permission.
When the user clicks the button to grant permission, the browser sends an HTTP request to salesforce.com, which
sends a redirect response using the callback URL (which in this case is "localhost:3017"). This causes the browser to
redirect the request to the Chilkat background thread, which consumes the HTTP request (thus acting like an HTTP server for that one request),
and then sends the response to the browser.

The redirect to the chilkatsoft.com site is just caused by the default content in the OAuth2.RedirectAllowHtml property.
It contains HTML w/ a META refresh to a web page on chilkatsoft.com. You can change the RedirectAllowHtml property
to whatever you want -- either static HTML to be displayed, or potentially a META redirect to your own site.